EIP-3779: Safer Control Flow for the EVM

Abstract

---

We define a safe EVM contract as one that cannot encounter an exceptional halting state. In general, we cannot prove safety for Turing-complete programs. But we can prove a useful subset.

This EIP specifies validity rules to ensure that:

Valid contracts will not halt with an exception unless they either

• throw out of gas or
• recursively overflow stack.

This EIP does not introduce any new opcodes. Rather, it restricts the use of existing and proposed control-flow instructions. The restrictions must be validated at contract initialization time – not at runtime – by the provided algorithm or its equivalent. This algorithm must take time and space near-linear in the size of the contract, so as not to be a denial of service vulnerability.

This specification is entirely semantic. It imposes no further syntax on bytecode, as none is required to ensure the specified level of safety. Ethereum Virtual Machine bytecode is just that -- a sequence of bytes that when executed causes a sequence of changes to the machine state. The safety we seek here is simply to not, as it were, jam up the gears.

Motivation

---

Safety

For our purposes we define a safe EVM contract as one that cannot encounter an exceptional halting state. From the standpoint of security it would be best if unsafe contracts were never placed on the blockchain. Unsafe code can attempt to overflow stack, underflow stack, execute invalid instructions, and jump to invalid locations.

Unsafe contracts are exploits waiting to happen.

Validating contract safety requires traversing the contract code. So in order to prevent denial of service attacks all jumps, including the existing JUMP and JUMPI, and also the other proposed jumps -- RJUMP, RJUMPI, RJUMPSUB and RETURNSUB -- must be validated at initialization time, and in time and space linear in the size of the code.

Static Jumps and Subroutines

The relative jumps of EIP-4200 and the simple subroutines of EIP-2315 provide a complete set of static control flow instructions:

RJUMP offset

• Jumps to IP+offset.

RJUMPI offset

• Jumps if the top of stack is non-zero.

RJUMPSUB offset

• Pushes IP+1 on the return stack and jumps to IP+offset.

RETURNSUB

• Jumps to the address popped off the return stack.

Note that each jump creates at most two paths of control through the code, such that the complexity of traversing the entire control-flow graph is linear in the size of the code.

Dynamic Jumps

Dynamic jumps, where the destination of a JUMP or JUMPI is not known until runtime, are an obstacle to proving validity in linear time -- any jump can be to any destination in the code, potentially requiring time quadratic in the size of code. For this reason we have two real choices.

1. Deprecate dynamic jumps. This is easily done:

Define JUMP and JUMPI as INVALID for the purposes of EOF Code Validation

2. Constrain dynamic jumps. This requires static analysis.

Consider the simplest and most common case.

This is effectively a static jump.

Another important use of JUMP is to implement the return jump from a subroutine. So consider this example of calling and returning from a minimal subroutine:

The return address -RTN_SQUARE - and the destination address - SQUARE - are pushed on the stack as constants and remain unchanged as they move on the stack, such that only those constants are passed to each JUMP. They are effectively static. We can track the motion of constants on the data stack at validation time, so we do not need unconstrained dynamic jumps to implement subroutines.

The above is the simplest analysis that suffices. A more powerful analysis that takes in more use cases is possible -- slower, but still linear-time.

Validation

We can validate the safety of contracts with a static analysis that takes time and space linear in the size of the code, as shown below. And since we can, we should.

Performance

Validating safe control flow at initialization time has potential performance advantages.

• Static jumps do not need to be checked at runtime.
• Stack underflow does not need to be checked for at runtime.

Specification

---

Validity

In theory, theory and practice are the same. In practice, they're not. -- Albert Einstein

We define a safe EVM contract as one that cannot encounter an exceptional halting state. We validate safety at initialization time to the extent practical.

Exceptional Halting States

The execution of each instruction is defined in the Yellow Paper as a change to the EVM state that preserves the invariants of EVM state. At runtime, if the execution of an instruction would violate an invariant the EVM is in an exceptional halting state. The Yellow Paper defined five such states.

1. Insufficient gas
2. More than 1024 stack items
3. Insufficient stack items
4. Invalid jump destination
5. Invalid instruction

A program is safe iff no execution can lead to an exceptional halting state.

We would like to consider EVM programs valid iff they are safe.

In practice, we must be able to validate code in linear time to avoid denial of service attacks. And we must support dynamically-priced instructions, loops, and recursion, which can use arbitrary amounts of gas and stack.

Thus our validation cannot consider concrete computations -- it only performs a limited symbolic execution of the code. This means we will reject programs if we detect any invalid execution paths, even if those paths are not reachable at runtime. And we will count as valid programs that may not always produce correct results.

We can detect only non-recursive stack overflows at validation time, so we must check for the first two states at runtime:

• out of gas and
• stack overflow.

The remaining three states we can check at validation time:

• stack underflow,
• invalid jump, and
• invalid instruction.

That is to say:

Valid contracts will not halt with an exception unless they either

• throw out of gas or
• recursively overflow stack.

Constraints on Valid Code

• Every instruction is valid.
• Every jump is valid:
  • EveryJUMP and JUMPI is static.
  • No JUMP, JUMPI, RJUMP, RJUMPI, or RJUMPSUB addresses immediate data.
• The stacks are always valid:
  • The number of items on the data stack is always positive, and at most 1024.
  • The number of items on the return stack is always positive, and at most 1024.
• The data stack is consistently aligned:
  • The number of items on the data stack between the current stack pointer and the stack pointer on entry to the most recent basic block is the same for each execution of a byte_code.

We define a JUMP or JUMPI instruction to be static if its jumpsrc argument was first placed on the stack via a PUSH… and that value has not changed since, though it may have been copied via a DUP… or SWAP….

The RJUMP, RJUMPI and RJUMPSUBinstructions take their destination as an immediate argument, so they are static.

Taken together, these rules allow for code to be validated by traversing the control-flow graph, in time and space linear in the size of the code, following each edge only once.

Note: The definition of 'static' for JUMP and JUMPI is the bare minimum needed to implement subroutines. Deeper analyses could be proposed that would validate a larger and probably more useful set of jumps, at the cost of more expensive (but still linear) validation.

Rationale

---

Demanding static destinations for all jumps means that all jump destinations can be validated at initialization time, not runtime.

Bounding the stack pointers catches all data stack and non-recursivereturn stack overflows.

Requiring a consistently aligneddata stack prevents stack underflow. It can also catch such errors as misaligned stacks due to irreducible control flows and calls to subroutines with the wrong number of arguments.

Backwards Compatibility

---

These changes affect the semantics of EVM code – the use of JUMP, JUMPI, and the stack are restricted, such that some code that would otherwise run correctly will nonetheless be invalid EVM code.

Reference Implementation

---

The following is a pseudo-Go implementation of an algorithm for predicating code validity. An equivalent algorithm must be run at initialization time.

This algorithm performs a symbolic execution of the program that recursively traverses the code, emulating its control flow and stack use and checking for violations of the rules above.

It runs in time equal to O(vertices + edges) in the program's control-flow graph, where edges represent control flow and the vertices represent basic blocks -- thus the algorithm takes time proportional to the size of the code.

Note: All valid code has a control-flow graph that can be traversed in time and space linear in the length of the code. That means that some other static analyses and code transformations that might otherwise require quadratic time can also be written to run in near-linear time, including one-pass and streaming compilers.

Validation Function

Note: This function is a work in progress, and the version below is known to be incorrect.

For simplicity's sake we assume that jumpdest analysis has been done and that we have some helper functions.

• isValidInstruction(pc) returns true if pc points at a valid instruction
• isValidJumpdest(dest) returns true if dest is a valid jumpdest
• immediateData(pc) returns the immediate data for the instruction at pc.
• advancePC(pc) returns next pc, skipping any immediate data.
• removed_items(pc) returns the number of items removed from the dataStack by the instruction at pc.
• added_items(pc) returns the number of items added to the dataStack by the instruction at pc.

Security Considerations

---

This EIP is intended to ensure an essential level of safety for EVM code deployed on the blockchain.

Copyright

---

Copyright and related rights waived via CC0.